39 #include "utils/fmgroids.h"
80 #define GRANT_ROLE_SPECIFIED_ADMIN 0x0001
81 #define GRANT_ROLE_SPECIFIED_INHERIT 0x0002
82 #define GRANT_ROLE_SPECIFIED_SET 0x0004
115 bool revoke_admin_option_only,
137 Datum new_record[Natts_pg_authid] = {0};
138 bool new_record_nulls[Natts_pg_authid] = {0};
144 bool issuper =
false;
146 bool createrole =
false;
148 bool canlogin =
false;
149 bool isreplication =
false;
150 bool bypassrls =
false;
155 char *validUntil = NULL;
156 Datum validUntil_datum;
157 bool validUntil_null;
164 DefElem *disreplication = NULL;
174 switch (
stmt->stmt_type)
191 if (strcmp(defel->
defname,
"password") == 0)
197 else if (strcmp(defel->
defname,
"sysid") == 0)
200 (
errmsg(
"SYSID can no longer be specified")));
202 else if (strcmp(defel->
defname,
"superuser") == 0)
208 else if (strcmp(defel->
defname,
"inherit") == 0)
214 else if (strcmp(defel->
defname,
"createrole") == 0)
220 else if (strcmp(defel->
defname,
"createdb") == 0)
226 else if (strcmp(defel->
defname,
"canlogin") == 0)
232 else if (strcmp(defel->
defname,
"isreplication") == 0)
236 disreplication = defel;
238 else if (strcmp(defel->
defname,
"connectionlimit") == 0)
244 else if (strcmp(defel->
defname,
"addroleto") == 0)
250 else if (strcmp(defel->
defname,
"rolemembers") == 0)
254 drolemembers = defel;
256 else if (strcmp(defel->
defname,
"adminmembers") == 0)
260 dadminmembers = defel;
262 else if (strcmp(defel->
defname,
"validUntil") == 0)
268 else if (strcmp(defel->
defname,
"bypassrls") == 0)
275 elog(
ERROR,
"option \"%s\" not recognized",
279 if (dpassword && dpassword->
arg)
298 (
errcode(ERRCODE_INVALID_PARAMETER_VALUE),
299 errmsg(
"invalid connection limit: %d", connlimit)));
302 addroleto = (
List *) daddroleto->
arg;
304 rolemembers = (
List *) drolemembers->
arg;
306 adminmembers = (
List *) dadminmembers->
arg;
317 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
318 errmsg(
"permission denied to create role"),
319 errdetail(
"Only roles with the %s attribute may create roles.",
323 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
324 errmsg(
"permission denied to create role"),
325 errdetail(
"Only roles with the %s attribute may create roles with the %s attribute.",
326 "SUPERUSER",
"SUPERUSER")));
329 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
330 errmsg(
"permission denied to create role"),
331 errdetail(
"Only roles with the %s attribute may create roles with the %s attribute.",
332 "CREATEDB",
"CREATEDB")));
335 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
336 errmsg(
"permission denied to create role"),
337 errdetail(
"Only roles with the %s attribute may create roles with the %s attribute.",
338 "REPLICATION",
"REPLICATION")));
341 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
342 errmsg(
"permission denied to create role"),
343 errdetail(
"Only roles with the %s attribute may create roles with the %s attribute.",
344 "BYPASSRLS",
"BYPASSRLS")));
353 (
errcode(ERRCODE_RESERVED_NAME),
354 errmsg(
"role name \"%s\" is reserved",
356 errdetail(
"Role names starting with \"pg_\" are reserved.")));
362 #ifdef ENFORCE_REGRESSION_TEST_NAME_RESTRICTIONS
363 if (strncmp(
stmt->role,
"regress_", 8) != 0)
364 elog(
WARNING,
"roles created by regression test cases should have names starting with \"regress_\"");
377 errmsg(
"role \"%s\" already exists",
387 validUntil_null =
false;
391 validUntil_datum = (
Datum) 0;
392 validUntil_null =
true;
399 (*check_password_hook) (
stmt->role,
408 new_record[Anum_pg_authid_rolname - 1] =
410 new_record[Anum_pg_authid_rolsuper - 1] =
BoolGetDatum(issuper);
411 new_record[Anum_pg_authid_rolinherit - 1] =
BoolGetDatum(inherit);
412 new_record[Anum_pg_authid_rolcreaterole - 1] =
BoolGetDatum(createrole);
414 new_record[Anum_pg_authid_rolcanlogin - 1] =
BoolGetDatum(canlogin);
415 new_record[Anum_pg_authid_rolreplication - 1] =
BoolGetDatum(isreplication);
416 new_record[Anum_pg_authid_rolconnlimit - 1] =
Int32GetDatum(connlimit);
421 const char *logdetail = NULL;
439 (
errmsg(
"empty string is not a valid password, clearing password")));
440 new_record_nulls[Anum_pg_authid_rolpassword - 1] =
true;
447 new_record[Anum_pg_authid_rolpassword - 1] =
452 new_record_nulls[Anum_pg_authid_rolpassword - 1] =
true;
454 new_record[Anum_pg_authid_rolvaliduntil - 1] = validUntil_datum;
455 new_record_nulls[Anum_pg_authid_rolvaliduntil - 1] = validUntil_null;
457 new_record[Anum_pg_authid_rolbypassrls - 1] =
BoolGetDatum(bypassrls);
467 (
errcode(ERRCODE_INVALID_PARAMETER_VALUE),
468 errmsg(
"pg_authid OID value not set when in binary upgrade mode")));
492 if (addroleto || adminmembers || rolemembers)
511 foreach(item, addroleto)
516 Oid oldroleid = oldroleform->oid;
517 char *oldrolename =
NameStr(oldroleform->rolname);
554 poptself.
admin =
true;
556 poptself.
set =
false;
559 memberSpecs, memberIds,
560 BOOTSTRAP_SUPERUSERID, &poptself);
579 memberSpecs, memberIds,
621 Datum new_record[Natts_pg_authid] = {0};
622 bool new_record_nulls[Natts_pg_authid] = {0};
623 bool new_record_repl[Natts_pg_authid] = {0};
633 char *validUntil = NULL;
634 Datum validUntil_datum;
635 bool validUntil_null;
642 DefElem *disreplication = NULL;
652 _(
"Cannot alter reserved roles."));
659 if (strcmp(defel->
defname,
"password") == 0)
665 else if (strcmp(defel->
defname,
"superuser") == 0)
671 else if (strcmp(defel->
defname,
"inherit") == 0)
677 else if (strcmp(defel->
defname,
"createrole") == 0)
683 else if (strcmp(defel->
defname,
"createdb") == 0)
689 else if (strcmp(defel->
defname,
"canlogin") == 0)
695 else if (strcmp(defel->
defname,
"isreplication") == 0)
699 disreplication = defel;
701 else if (strcmp(defel->
defname,
"connectionlimit") == 0)
707 else if (strcmp(defel->
defname,
"rolemembers") == 0 &&
712 drolemembers = defel;
714 else if (strcmp(defel->
defname,
"validUntil") == 0)
720 else if (strcmp(defel->
defname,
"bypassrls") == 0)
727 elog(
ERROR,
"option \"%s\" not recognized",
731 if (dpassword && dpassword->
arg)
738 (
errcode(ERRCODE_INVALID_PARAMETER_VALUE),
739 errmsg(
"invalid connection limit: %d", connlimit)));
753 roleid = authform->oid;
758 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
759 errmsg(
"permission denied to alter role"),
760 errdetail(
"Only roles with the %s attribute may alter roles with the %s attribute.",
761 "SUPERUSER",
"SUPERUSER")));
764 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
765 errmsg(
"permission denied to alter role"),
766 errdetail(
"Only roles with the %s attribute may change the %s attribute.",
767 "SUPERUSER",
"SUPERUSER")));
777 if (dinherit || dcreaterole || dcreatedb || dcanlogin || dconnlimit ||
778 dvalidUntil || disreplication || dbypassRLS)
780 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
781 errmsg(
"permission denied to alter role"),
782 errdetail(
"Only roles with the %s attribute and the %s option on role \"%s\" may alter this role.",
783 "CREATEROLE",
"ADMIN", rolename)));
786 if (dpassword && roleid != currentUserId)
788 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
789 errmsg(
"permission denied to alter role"),
790 errdetail(
"To change another role's password, the current user must have the %s attribute and the %s option on the role.",
791 "CREATEROLE",
"ADMIN")));
802 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
803 errmsg(
"permission denied to alter role"),
804 errdetail(
"Only roles with the %s attribute may change the %s attribute.",
805 "CREATEDB",
"CREATEDB")));
808 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
809 errmsg(
"permission denied to alter role"),
810 errdetail(
"Only roles with the %s attribute may change the %s attribute.",
811 "REPLICATION",
"REPLICATION")));
814 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
815 errmsg(
"permission denied to alter role"),
816 errdetail(
"Only roles with the %s attribute may change the %s attribute.",
817 "BYPASSRLS",
"BYPASSRLS")));
823 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
824 errmsg(
"permission denied to alter role"),
825 errdetail(
"Only roles with the %s option on role \"%s\" may add members.",
826 "ADMIN", rolename)));
835 validUntil_null =
false;
841 Anum_pg_authid_rolvaliduntil,
849 (*check_password_hook) (rolename,
864 bool should_be_super =
boolVal(dissuper->
arg);
866 if (!should_be_super && roleid == BOOTSTRAP_SUPERUSERID)
868 (
errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
869 errmsg(
"permission denied to alter role"),
870 errdetail(
"The bootstrap superuser must have the %s attribute.",
873 new_record[Anum_pg_authid_rolsuper - 1] =
BoolGetDatum(should_be_super);
874 new_record_repl[Anum_pg_authid_rolsuper - 1] =
true;
880 new_record_repl[Anum_pg_authid_rolinherit - 1] =
true;
886 new_record_repl[Anum_pg_authid_rolcreaterole - 1] =
true;
892 new_record_repl[Anum_pg_authid_rolcreatedb - 1] =
true;
898 new_record_repl[Anum_pg_authid_rolcanlogin - 1] =
true;
904 new_record_repl[Anum_pg_authid_rolreplication - 1] =
true;
909 new_record[Anum_pg_authid_rolconnlimit - 1] =
Int32GetDatum(connlimit);
910 new_record_repl[Anum_pg_authid_rolconnlimit - 1] =
true;
917 const char *logdetail = NULL;
924 (
errmsg(
"empty string is not a valid password, clearing password")));
925 new_record_nulls[Anum_pg_authid_rolpassword - 1] =
true;
932 new_record[Anum_pg_authid_rolpassword - 1] =
935 new_record_repl[Anum_pg_authid_rolpassword - 1] =
true;
939 if (dpassword && dpassword->
arg == NULL)
941 new_record_repl[Anum_pg_authid_rolpassword - 1] =
true;
942 new_record_nulls[Anum_pg_authid_rolpassword - 1] =
true;
946 new_record[Anum_pg_authid_rolvaliduntil - 1] = validUntil_datum;
947 new_record_nulls[Anum_pg_authid_rolvaliduntil - 1] = validUntil_null;
948 new_record_repl[Anum_pg_authid_rolvaliduntil - 1] =
true;
953 new_record_repl[Anum_pg_authid_rolbypassrls - 1] =
true;
957 new_record_nulls, new_record_repl);
977 if (
stmt->action == +1)
981 else if (
stmt->action == -1)
1010 _(
"Cannot alter reserved roles."));
1014 roleid = roleform->oid;
1027 if (roleform->rolsuper)
1031 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1032 errmsg(
"permission denied to alter role"),
1033 errdetail(
"Only roles with the %s attribute may alter roles with the %s attribute.",
1034 "SUPERUSER",
"SUPERUSER")));
1042 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1043 errmsg(
"permission denied to alter role"),
1044 errdetail(
"Only roles with the %s attribute and the %s option on role \"%s\" may alter this role.",
1045 "CREATEROLE",
"ADMIN",
NameStr(roleform->rolname))));
1052 if (
stmt->database != NULL)
1069 if (!
stmt->role && !
stmt->database)
1074 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1075 errmsg(
"permission denied to alter setting"),
1076 errdetail(
"Only roles with the %s attribute may alter settings globally.",
1093 pg_auth_members_rel;
1099 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1100 errmsg(
"permission denied to drop role"),
1101 errdetail(
"Only roles with the %s attribute and the %s option on the target roles may drop roles.",
1102 "CREATEROLE",
"ADMIN")));
1111 foreach(item,
stmt->roles)
1124 (
errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1125 errmsg(
"cannot use special role specifier in DROP ROLE")));
1131 if (!
stmt->missing_ok)
1134 (
errcode(ERRCODE_UNDEFINED_OBJECT),
1135 errmsg(
"role \"%s\" does not exist", role)));
1140 (
errmsg(
"role \"%s\" does not exist, skipping",
1148 roleid = roleform->oid;
1152 (
errcode(ERRCODE_OBJECT_IN_USE),
1153 errmsg(
"current user cannot be dropped")));
1156 (
errcode(ERRCODE_OBJECT_IN_USE),
1157 errmsg(
"current user cannot be dropped")));
1160 (
errcode(ERRCODE_OBJECT_IN_USE),
1161 errmsg(
"session user cannot be dropped")));
1170 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1171 errmsg(
"permission denied to drop role"),
1172 errdetail(
"Only roles with the %s attribute may drop roles with the %s attribute.",
1173 "SUPERUSER",
"SUPERUSER")));
1176 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1177 errmsg(
"permission denied to drop role"),
1178 errdetail(
"Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.",
1179 "CREATEROLE",
"ADMIN",
NameStr(roleform->rolname))));
1211 Anum_pg_auth_members_roleid,
1216 true, NULL, 1, &scankey);
1224 authmem_form->oid, 0);
1231 Anum_pg_auth_members_member,
1236 true, NULL, 1, &scankey);
1244 authmem_form->oid, 0);
1268 foreach(item, role_oids)
1285 elog(
ERROR,
"could not find tuple for role %u", roleid);
1296 &detail, &detail_log))
1298 (
errcode(ERRCODE_DEPENDENT_OBJECTS_STILL_EXIST),
1299 errmsg(
"role \"%s\" cannot be dropped because some objects depend on it",
1342 Datum repl_val[Natts_pg_authid];
1343 bool repl_null[Natts_pg_authid];
1344 bool repl_repl[Natts_pg_authid];
1356 (
errcode(ERRCODE_UNDEFINED_OBJECT),
1357 errmsg(
"role \"%s\" does not exist", oldname)));
1368 roleid = authform->oid;
1372 (
errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
1373 errmsg(
"session user cannot be renamed")));
1376 (
errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
1377 errmsg(
"current user cannot be renamed")));
1385 (
errcode(ERRCODE_RESERVED_NAME),
1386 errmsg(
"role name \"%s\" is reserved",
1388 errdetail(
"Role names starting with \"pg_\" are reserved.")));
1392 (
errcode(ERRCODE_RESERVED_NAME),
1393 errmsg(
"role name \"%s\" is reserved",
1395 errdetail(
"Role names starting with \"pg_\" are reserved.")));
1401 #ifdef ENFORCE_REGRESSION_TEST_NAME_RESTRICTIONS
1402 if (strncmp(newname,
"regress_", 8) != 0)
1403 elog(
WARNING,
"roles created by regression test cases should have names starting with \"regress_\"");
1410 errmsg(
"role \"%s\" already exists", newname)));
1416 if (authform->rolsuper)
1420 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1421 errmsg(
"permission denied to rename role"),
1422 errdetail(
"Only roles with the %s attribute may rename roles with the %s attribute.",
1423 "SUPERUSER",
"SUPERUSER")));
1430 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1431 errmsg(
"permission denied to rename role"),
1432 errdetail(
"Only roles with the %s attribute and the %s option on role \"%s\" may rename this role.",
1433 "CREATEROLE",
"ADMIN",
NameStr(authform->rolname))));
1437 for (
i = 0;
i < Natts_pg_authid;
i++)
1438 repl_repl[
i] =
false;
1440 repl_repl[Anum_pg_authid_rolname - 1] =
true;
1443 repl_null[Anum_pg_authid_rolname - 1] =
false;
1445 datum =
heap_getattr(oldtuple, Anum_pg_authid_rolpassword, dsc, &isnull);
1450 repl_repl[Anum_pg_authid_rolpassword - 1] =
true;
1451 repl_null[Anum_pg_authid_rolpassword - 1] =
true;
1454 (
errmsg(
"MD5 password cleared because of role rename")));
1491 foreach(item,
stmt->opt)
1496 if (strcmp(opt->
defname,
"admin") == 0)
1503 else if (strcmp(opt->
defname,
"inherit") == 0)
1509 else if (strcmp(opt->
defname,
"set") == 0)
1517 errcode(ERRCODE_SYNTAX_ERROR),
1522 (
errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1523 errmsg(
"unrecognized value for role option \"%s\": \"%s\"",
1546 foreach(item,
stmt->granted_roles)
1553 if (rolename == NULL || priv->
cols !=
NIL)
1555 (
errcode(ERRCODE_INVALID_GRANT_OPERATION),
1556 errmsg(
"column names cannot be included in GRANT/REVOKE ROLE")));
1560 roleid,
stmt->is_grant);
1563 stmt->grantee_roles, grantee_ids,
1567 stmt->grantee_roles, grantee_ids,
1568 grantor, &popt,
stmt->behavior);
1589 foreach(cell, role_ids)
1595 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1596 errmsg(
"permission denied to drop objects"),
1597 errdetail(
"Only roles with privileges of role \"%s\" may drop objects owned by it.",
1618 foreach(cell, role_ids)
1624 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1625 errmsg(
"permission denied to reassign objects"),
1626 errdetail(
"Only roles with privileges of role \"%s\" may reassign objects owned by it.",
1635 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
1636 errmsg(
"permission denied to reassign objects"),
1637 errdetail(
"Only roles with privileges of role \"%s\" may reassign objects to it.",
1657 foreach(l, memberNames)
1682 List *memberSpecs,
List *memberIds,
1707 forboth(specitem, memberSpecs, iditem, memberIds)
1731 if (memberid == ROLE_PG_DATABASE_OWNER)
1733 errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
1734 errmsg(
"role \"%s\" cannot be a member of any role",
1746 (
errcode(ERRCODE_INVALID_GRANT_OPERATION),
1747 errmsg(
"role \"%s\" is a member of role \"%s\"",
1765 if (popt->
admin && grantorId != BOOTSTRAP_SUPERUSERID)
1780 foreach(iditem, memberIds)
1784 if (memberid == BOOTSTRAP_SUPERUSERID)
1786 (
errcode(ERRCODE_INVALID_GRANT_OPERATION),
1787 errmsg(
"%s option cannot be granted back to your own grantor",
1806 authmem_form->member == grantorId &&
1807 authmem_form->admin_option)
1812 (
errcode(ERRCODE_INVALID_GRANT_OPERATION),
1813 errmsg(
"%s option cannot be granted back to your own grantor",
1820 forboth(specitem, memberSpecs, iditem, memberIds)
1826 Datum new_record[Natts_pg_auth_members] = {0};
1827 bool new_record_nulls[Natts_pg_auth_members] = {0};
1828 bool new_record_repl[Natts_pg_auth_members] = {0};
1831 new_record[Anum_pg_auth_members_roleid - 1] =
1833 new_record[Anum_pg_auth_members_member - 1] =
1835 new_record[Anum_pg_auth_members_grantor - 1] =
1853 bool at_least_one_change =
false;
1858 && authmem_form->admin_option != popt->
admin)
1860 new_record[Anum_pg_auth_members_admin_option - 1] =
1862 new_record_repl[Anum_pg_auth_members_admin_option - 1] =
1864 at_least_one_change =
true;
1868 && authmem_form->inherit_option != popt->
inherit)
1870 new_record[Anum_pg_auth_members_inherit_option - 1] =
1872 new_record_repl[Anum_pg_auth_members_inherit_option - 1] =
1874 at_least_one_change =
true;
1878 && authmem_form->set_option != popt->
set)
1880 new_record[Anum_pg_auth_members_set_option - 1] =
1882 new_record_repl[Anum_pg_auth_members_set_option - 1] =
1884 at_least_one_change =
true;
1887 if (!at_least_one_change)
1890 (
errmsg(
"role \"%s\" has already been granted membership in role \"%s\" by role \"%s\"",
1899 new_record_nulls, new_record_repl);
1914 new_record[Anum_pg_auth_members_admin_option - 1] =
1916 new_record[Anum_pg_auth_members_set_option - 1] =
1925 new_record[Anum_pg_auth_members_inherit_option - 1] =
1934 elog(
ERROR,
"cache lookup failed for role %u", memberid);
1936 new_record[Anum_pg_auth_members_inherit_option - 1] =
1943 Anum_pg_auth_members_oid);
1944 new_record[Anum_pg_auth_members_oid - 1] = objectId;
1946 new_record, new_record_nulls);
1950 newmembers[0] = grantorId;
1980 List *memberSpecs,
List *memberIds,
2016 forboth(specitem, memberSpecs, iditem, memberIds)
2025 (
errmsg(
"role \"%s\" has not been granted membership in role \"%s\" by role \"%s\"",
2055 authmem_form->oid, 0);
2062 Datum new_record[Natts_pg_auth_members] = {0};
2063 bool new_record_nulls[Natts_pg_auth_members] = {0};
2064 bool new_record_repl[Natts_pg_auth_members] = {0};
2069 new_record[Anum_pg_auth_members_admin_option - 1] =
2071 new_record_repl[Anum_pg_auth_members_admin_option - 1] =
2076 new_record[Anum_pg_auth_members_inherit_option - 1] =
2078 new_record_repl[Anum_pg_auth_members_inherit_option - 1] =
2083 new_record[Anum_pg_auth_members_set_option - 1] =
2085 new_record_repl[Anum_pg_auth_members_set_option - 1] =
2089 elog(
ERROR,
"unknown role revoke action");
2093 new_record_nulls, new_record_repl);
2123 if (is_grant && roleid == ROLE_PG_DATABASE_OWNER)
2125 errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
2126 errmsg(
"role \"%s\" cannot have explicit members",
2136 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
2137 errmsg(
"permission denied to grant role \"%s\"",
2139 errdetail(
"Only roles with the %s attribute may grant roles with the %s attribute.",
2140 "SUPERUSER",
"SUPERUSER")));
2143 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
2144 errmsg(
"permission denied to revoke role \"%s\"",
2146 errdetail(
"Only roles with the %s attribute may revoke roles with the %s attribute.",
2147 "SUPERUSER",
"SUPERUSER")));
2159 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
2160 errmsg(
"permission denied to grant role \"%s\"",
2162 errdetail(
"Only roles with the %s option on role \"%s\" may grant this role.",
2166 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
2167 errmsg(
"permission denied to revoke role \"%s\"",
2169 errdetail(
"Only roles with the %s option on role \"%s\" may revoke this role.",
2216 return BOOTSTRAP_SUPERUSERID;
2248 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
2249 errmsg(
"permission denied to grant privileges as role \"%s\"",
2251 errdetail(
"Only roles with privileges of role \"%s\" may grant privileges as this role.",
2254 if (grantorId != BOOTSTRAP_SUPERUSERID &&
2257 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
2258 errmsg(
"permission denied to grant privileges as role \"%s\"",
2260 errdetail(
"The grantor must have the %s option on role \"%s\".",
2267 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
2268 errmsg(
"permission denied to revoke privileges granted by role \"%s\"",
2270 errdetail(
"Only roles with privileges of role \"%s\" may revoke privileges granted by this role.",
2345 if (authmem_form->member == member &&
2346 authmem_form->grantor == grantor)
2363 bool revoke_admin_option_only;
2369 revoke_admin_option_only =
2372 revoke_admin_option_only, behavior);
2404 if (authmem_form->member == member)
2419 bool would_still_have_admin_option =
false;
2428 revoke_admin_option_only)
2441 if (!revoke_admin_option_only)
2444 if (!authmem_form->admin_option)
2449 if (!authmem_form->admin_option)
2463 if (am_cascade_form->member == authmem_form->member &&
2464 am_cascade_form->admin_option && actions[
i] ==
RRG_NOOP)
2466 would_still_have_admin_option =
true;
2472 if (would_still_have_admin_option)
2487 if (am_cascade_form->grantor == authmem_form->member &&
2492 (
errcode(ERRCODE_DEPENDENT_OBJECTS_STILL_EXIST),
2493 errmsg(
"dependent privileges exist"),
2494 errhint(
"Use CASCADE to revoke them too.")));
2508 popt->
admin =
false;
2537 foreach(l, elemlist)
2539 char *tok = (
char *)
lfirst(l);
2570 unsigned options = *(
unsigned *) extra;